What does the General Data Protection Regulation (GDPR) require regarding a Data Protection Officer (or DPO)? This is one of the questions that the GDPR, which the European Parliament recently adopted, has prompted many organisations to ask. Another is: what are the implications of those requirements for those to whom the GDPR applies (organisations that either do business in Europe or handle the personal information of European citizens)? The short answer is that if the GDPR applies to your business, the Data Protection Officer position is a key one to think about.
What is a Data Protection Officer (or DPO)?
Under the GDPR, controllers and processors of data appoint a Data Protection Officer (or DPO) to help them comply with data protection law. Once appointed, the officer looks into the risks that data processing can expose a business to and helps the business avoid those risks. Essentially, the officer is the link between the public (including other businesses that you may work with) and your business when it comes to the processing of personal information. This means that the public can direct their data protection queries to this officer. The officer reports directly to management and must be given all the resources necessary to carry out their functions.
Who needs a Data Protection Officer?
The GDPR is very clear on the organisations that require a Data Protection Officer. Organisations that:
- have core operations which include the processing of data through mass systematic and regular monitoring of data subjects; or
- process the special personal information (race, ethnicity, and biometric data) of data subjects on a large scale,
have to appoint a Data Protection Officer.
The GDPR does NOT require every controller and processor to appoint a Data Protection Officer.
A private body does not have to appoint one if:
- its main activities only seldom involve monitoring data subjects, with little infringement on those data subjects’ rights,
- it does not process special personal information at all, or
- it only processes the special personal information of a small group of data subjects.
It is also possible for organisations in a group structure to come together and appoint one, even when the GDPR does not require them to do so. The Article 29 Working Party Guidelines on Data Protection recommend that, where it is not entirely obvious whether the GDPR requires a Data Protection Officer, organisations follow and document a step-by-step analysis of why they think they do not have to make the appointment. For the full discussion from the Article 29 Working Party on Data Protection, read the guidelines they adopted on 13 December 2016.
Actions you can take
- Answer the question “what is the GDPR?” and understand what it requires from your organisation by attending a GDPR workshop or asking us to answer your questions.
- Be well-placed to deliver on all the duties of the Data Protection Officer job by asking us to advise you.
- Subscribe to the Michalsons newsletter to receive future updates.